Heuristic account fraud detection engine

ABSTRACT

A heuristic engine includes capabilities to collect an unstructured data set and detect instances of transaction fraud in a financial account. By providing a heuristic algorithm with unstructured transaction sets and indications of particular instances of transactions that correlate with past fraudulent activity allows prevention of future occurrences of fraud. Such heuristic algorithms may learn from past indications of fraudulent activity and improve accuracy of detection of future fraud detections.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of, and claims priority to, U.S.patent application Ser. No. 16/997,741, filed on Aug. 19, 2020, which isa continuation of U.S. patent application Ser. No. 15/495,659, filed onApr. 24, 2017, now known as U.S. Pat. No. 10,810,593, issued on Oct. 20,2020, which claims the benefit of U.S. Provisional Patent ApplicationNos. 62/337,711 and 62/335,374, filed respectively on May 12, 2016 andMay 17, 2016, and U.S. Provisional Application Nos. 62/368,448,62/368,406, 62/368,359, 62/368,588, 62/368,572, 62/368,548, 62/368,536,62/368,525, 62/368,512, 62/368,503, 62/368,332, 62/368,298, 62/368,271,filed on Jul. 29, 2016, the disclosures of which are hereby incorporatedherein by reference.

FIELD OF THE INVENTION

The disclosure generally relates to systems, methods, apparatus, andnon-transitory computer readable media to detect account fraud inunstructured transaction sets using heuristic algorithms.

BACKGROUND

Organizations involved in customer service activities often processlarge amounts of unstructured data to make decisions while interactingwith a customer in real-time. For example, in the case of a customerservice representative speaking on the telephone with a customerexperiencing an issue with a product or service, appropriate solutionsmay include a combination of timeliness of response and accuracy incontent.

Such unstructured data may include voluminous transaction recordsspanning decades, unstructured customer service data, or real-timetranscripts of customer service interactions with scattered contextualindicators. To reasonably expect a customer service representative toeffectively leverage such large data sets in real-time places anunreasonable burden on a customer service representative. However,failing to do so robs the customer service representative of vitalcontext not readily apparent, and the wealth of knowledge gainedthroughout the history of an organization that would otherwise need tobe distilled to briefing materials and expensively trained over time.Thus, organizations may value tools to rapidly process large data sets,to infer context, suggest lessons learned based upon transaction data,while learning through successive process iterations. Furthermore,appropriate application of such tools may provide a competitiveadvantage in a crowded and competitive customer service industry.

In an effort to automate and provide better predictability of customerservice experiences, many organizations develop customer relationshipmanagement (CRM) software packages. Organizations that develop thesesoftware packages often develop custom solutions, at great expense, tobest meet the needs of their customers in unique industries. Such toolswhile providing a great level of detail for the customer servicerepresentative, lack the flexibility to react to changing businessconditions or fully exploit the underlying technology, drivingadditional cost into an already expensive solution.

Some organizations where able to make concessions on customizedsolutions turn to off-the-shelf or commercially available softwaresolutions that reduce the overall cost of implementation. Such solutionsmay provide customer service representative prompting tools withquestion and answer formats that allow for consistency of customerexperience, however, at the expense of a less personalized experiencerequired in many industries. While more flexible than fully-customsolutions, the impersonal question-answer format of customer interactionmay not improve without costly software revisions, rarely performed byoriginal equipment manufacturers (OEMs) of off-the-shelf solutions.

The ability for a customer service experience to learn and improve oversuccessive iterations remains paramount for organizations to offerdiscriminating customer service experiences. Often the burden ofcontinual improvement falls to the customer service representative, as ahuman being able to adapt and learn to changing conditions more rapidlyeven within the confines of a rigid customer service softwareapplication. However, with the advent of outsourcing prevalent in thecustomer service industry, the customer service representative may lackmuch of the necessary context required to provide high levels ofrelevant customer service. This lack of context in an interconnectedcompany is less an issue of distance and more an issue of data accessand the ability to contextually process data to present relevantsolutions in a timely manner.

SUMMARY

One exemplary embodiment includes a computer-implemented method,executed with a computer processor, to authenticate a customer identity.The method may include retrieving an un-structured transaction data set,receiving an encoded context, and/or accessing and executing a heuristicalgorithm using the data set and the context. The algorithm may outputan authentication score, a suggested set of authentication questions,and/or a suggested set of authentication answers based upon the data setand the context and update the algorithm in the second memory and thecontext using a correlation factor between the suggested authenticationanswers and a customer response. The method may include additional,less, or alternate actions or functionality, including that discussedelsewhere herein.

Still another embodiment includes a computer-implemented method,executed with a computer processor, that generates an indication ofmoney laundering activity. This embodiment includes retrieving anun-structured transaction set comprising aggregated transaction datathat includes a plurality of users and at least one indication of priormoney laundering activity, receiving a plurality of financialtransactions, and/or accessing and executing a heuristic algorithm togenerate a predicted indication of money laundering activity using thetransaction set and the plurality of financial transactions. Such anembodiment may subsequently generate a compliance report using thepredicted indications of money laundering activity. The method mayinclude additional, less, or alternate actions, including thosediscussed elsewhere herein.

Further exemplary embodiments include a computer-implemented method,executed with a computer processor, that verifies documentation in afinancial deposit transaction. The method may include retrieving, withthe processor, a plurality of document image data. At least one of thedata may include an indication of document fraud. The method may includereceiving a customer document image associated with a deposit accounttransaction, and/or accessing and executing a heuristic algorithm togenerate a correlation between the image characteristics of the customerdocument image and at least one of the document image data. The methodmay also include receiving a notification of actual fraud associatedwith the customer document image and/or updating the algorithm using thecorrelation and the notification. The method may include additional,less, or alternate actions, including those discussed elsewhere herein.

Another embodiment includes a computer-implemented method, executed witha computer processor, that generates an indication of fraudulenttransaction activity within a financial account. The method may includeretrieving an un-structured transaction set comprising aggregatedtransaction data that includes a plurality of users and at least oneindication of fraudulent transaction activity and receiving a pluralityof financial transactions. The method may also include accessing andexecuting a heuristic algorithm to generate a predicted indication offraudulent account activity using the transaction set and the pluralityof financial transactions. The method may include additional, less, oralternate actions, including those discussed elsewhere herein.

Exemplary embodiments may include computer-implemented methods that mayin other embodiments include apparatus configured to implement themethod, and/or non-transitory computer readable mediums comprisingcomputer-executable instructions that cause a processor to perform themethod.

Advantages will become more apparent to those skilled in the art fromthe following description of the preferred embodiments which have beenshown and described by way of illustration. As will be realized, thepresent embodiments may be capable of other and different embodiments,and their details are capable of modification in various respects.Accordingly, the drawings and description are to be regarded asillustrative in nature and not as restrictive.

BRIEF DESCRIPTION OF THE DRAWINGS

The Figures described below depict various aspects of the system andmethods disclosed herein. It should be understood that each figuredepicts an aspect of a particular aspect of the disclosed system andmethods, and that each of the Figures is intended to accord with apossible aspect thereof. Further, wherever possible, the followingdescription refers to the reference numerals included in the followingFigures, in which features depicted in multiple Figures are designatedwith consistent reference numerals.

There are shown in the Figures arrangements which are presentlydiscussed, it being understood, however, that the present embodimentsare not limited to the precise arrangements and instrumentalities shown,wherein:

FIG. 1 illustrates an exemplary computer system to authenticate acustomer in accordance with one aspect of the present disclosure;

FIG. 2 illustrates an exemplary computer-implemented method toauthenticate a customer in accordance with one aspect of the presentdisclosure;

FIG. 3 illustrates an exemplary computer system to detect moneylaundering in accordance with one aspect of the present disclosure;

FIG. 4 illustrates an exemplary computer-implemented method to detectmoney laundering in accordance with one aspect of the presentdisclosure;

FIG. 5 illustrates an exemplary computer system to validate documents inaccordance with one aspect of the present disclosure;

FIG. 6 illustrates an exemplary computer-implemented method to validatedocuments in accordance with one aspect of the present disclosure;

FIG. 7 illustrates an exemplary computer system to detect fraud inaccordance with one aspect of the present disclosure;

FIG. 8 illustrates an exemplary computer-implemented method to detectfraud in accordance with one aspect of the present disclosure;

FIG. 9 illustrates an exemplary computing system to in accordance withone aspect of the present disclosure; and

FIG. 10 illustrates an exemplary article of manufacture in accordancewith one aspect of the present disclosure.

The Figures depict preferred embodiments for purposes of illustrationonly. Alternative embodiments of the systems and methods illustratedherein may be employed without departing from the principles of theinvention described herein.

DETAILED DESCRIPTION

Various embodiments of the present disclosure include the collection ofunstructured data sets together with a current context. Heuristicalgorithms processing these unstructured data sets together the contextmay allow calculation of a future context, and the presentation ofcontext relevant data that improves over time. By subsequently trainingthe heuristic algorithm with the outcome of a current and futurepredicted context, and the relevance of presented data, the heuristicalgorithm may improve its efficiency as the unstructured data set grows.

Although the following text sets forth a detailed description ofnumerous different embodiments, it should be understood that the legalscope of the description is defined by the words of the claims set forthat the end of this patent and equivalents. The detailed description isto be construed as exemplary only and does not describe every possibleembodiment since describing every possible embodiment would beimpractical. Numerous alternative embodiments may be implemented, usingeither current technology or technology developed after the filing dateof this patent, which would still fall within the scope of the claims.

Identity Authentication

FIG. 1 illustrates a block diagram of an exemplary system 100 toauthenticate a customer identity in a financial transaction. Theexemplary system 100 enables a user 105 to interface with a userterminal 110 to transmit a request for a transaction that may require anidentity authentication. Such an request may, in one embodiment, resultfrom an earlier initiation by a customer service representative 130,interfacing with a service terminal 135, interacting through ahuman-machine interface 115. In another embodiment, the financialtransaction may result from a user initiated request, absent therepresentative 130.

The human-machine interface 115 may encode the customer 105 andrepresentative 130 interactions with the respective user terminals 110and service terminal 135 to encode a context in an electronic format,such that a processor 125 reads the context. The processor 125 may inone embodiment include a single processor, or in another embodimentinclude a variety of interconnected processors that operate in concertto efficiently perform tasks in parallel. The processor 125 may, in oneembodiment, interface to a heuristic server 140, and a transactionserver 145, storing respectively, a heuristic algorithm and a set oftransaction data. In other embodiments, the heuristic algorithm and/ortransaction data may reside on the same server.

The computer processor 125 includes an interface to a network interface117, that may in one embodiment include wired and wireless interfaces toallow communication over any variety of computer networks communicatingover a variety of mediums. One such embodiment includes an interface toa network 150, for example a wide-area network such as the Internet,that interconnects any number of computing devices, for example a remotetransaction and/or heuristic server 155, over wired or wirelessnetworks, or over one or more radio frequency links or wireless ordigital communication channels. In another embodiment, the network 150may comprise a local-area network with access controls to a specificentity, such as a business.

In one embodiment, a heuristic engine 120, may comprise thehuman-machine interface 115, computer processor 125, and networkinterface 117. However, in other embodiments the heuristic engine 120may include other digital and analog interface devices, memory devices,and supplemental processing devices for performing calculations andstoring data.

In accordance with one aspect of the present disclosure, the system 100may perform the method 200, as illustrated in FIG. 2 . However, themethod 200 does not, or may not, specifically require the system 100, orthe elements included therein in a particular arrangement, to performthe method steps illustrated in the process 200.

In one embodiment, a customer, for example the customer 105 of FIG. 1 ,may initiate a transaction that may require authentication at step 205.At step 210, a system, for example the heuristic engine 120 of FIG. 1 ,may retrieve a transaction data set related to the customer. Thecustomer may provide additional natural language input relating torecent account use at step 215. The heuristic engine 120 may, at step220, encode a context based the natural language input from step 215, orotherwise, together or in isolation with the transaction data set fromstep 210. At step 225, a processor, for example the processor 125 ofFIG. 1 , may retrieve a heuristic algorithm from the heuristic server140, or otherwise. In one embodiment, the processor 125 may execute theheuristic algorithm with the context and the transaction data set atstep 235.

At step 240, in one embodiment, the processor 125 may generate furtherquestions and expected answers, for example using the heuristicalgorithm, using the available data. A customer service representative,such as the representative 130 of FIG. 1 , may pose further questions tothe customer 105, for example using the terminal 135 and terminal 110.The processor 125 may process a response from the customer 105 andcompare the response against a threshold score to determine anauthentication result. Such a threshold score may indicate a level ofauthentication required to perform the transaction initiated at step205, or otherwise. At step 255, the representative 130 may indicate tothe customer 105 success or failure of authentication, or in anotherembodiment, take subsequent action appropriate given the context of thecustomer service interaction.

Money Laundering Detection

FIG. 3 illustrates a block diagram of an exemplary computer system 300to generate an indication of money laundering activity. The exemplarysystem 300 enables a user 305 to interface with a mobile device 310 toperform a transaction and allows at least one customer servicerepresentative 345 and/or 385, to receive an indication of moneylaundering activity. Such a request may, in one embodiment involve anearlier initiation by a customer service representative 345 and/or 385,interacting with either of the service terminals 335 and 380. In anotherembodiment, the transaction may result from a user initiated request,absent the representatives 345 and 385.

The customer may in one embodiment communicate using the mobile device310 through any of a variety of wireless communication protocols 315using a wireless access point 320 that implements such protocols andtranslates communications into a computer readable format. The wirelessaccess point 320 may connect to a network 325, for example the Internetor a corporate intranet, that likewise interfaces to a remote server 330and a service terminal 335 accessible to a customer servicerepresentative 345, such as via wireless communication or datatransmission over one or more radio frequency links, or wireless ordigital communication channels.

In one exemplary embodiment, a heuristic engine 355 may include anetwork interface 350 that communicatively couples to the network 325,and a computer processor 360. In other embodiments, the heuristic engine355 may include a variety of memory devices, interface devices, andprocessing devices, to execute required functions. The network interface350 may include interfaces to a database server 365 and a serviceterminal 380 used by a customer service representative 385. The computerprocessor 360 may communicatively couple to a heuristic server 370 andtransaction server 375.

In accordance with one aspect of the present disclosure, the system 300may perform the method 400, as illustrated in FIG. 4 . However, in oneembodiment, the method 400 may not, or does not, specifically requirethe system 300, nor do the elements included therein require aparticular arrangement, to perform the method steps illustrated in theprocess 400.

Method 400 may include a regulatory authority demanding an audit reportrelated to money laundering activity on a particular account (block405). In one embodiment, a user, such as the user 305 from FIG. 3 ,initiates a request for an audit report using a mobile device, such asmobile device 310. In one embodiment, the processor 360 may retrieve anunstructured transaction set from the remote server 330, the databaseserver 365, or the transaction server 375. The processor 360 mayretrieve a heuristic algorithm from the heuristic server 370 (block420). In one embodiment, the processor 360 may generate an indication ofmoney laundering activity related to one or more transactions, forexample transactions stored in the transaction server 375.

The processor 360 may execute the algorithm with the retrievedtransaction set and the indication of money laundering activity (block430). In one exemplary embodiment, the processor 360 may generate anaudit report for a regulatory authority. The processor 360 may updatethe algorithm stored in the heuristic server 370 (block 440), forexample using the indication and additional transactions identified ascomprising money laundering activity.

Document Verification

FIG. 5 illustrates a block diagram of an exemplary computer system 500to perform document verification. The exemplary system 500 enables auser 505, using for example a document scanner 510 to transmit documentimages over a computer network 515 to a network interface 525. Thenetwork 515 may include interfaces to a remote server 520, storingdocument image data. A customer service representative 555 may interfacewith a service terminal 550 through a human-machine interface 540communicatively coupled to a processor 530. The network interface 525,computer processor 530, and human machine interface 540 together maycomprise a heuristic engine 535. In other embodiments, the heuristicengine 535 may include a variety of memory devices, interface devices,and processing devices, to execute required functions. The processor 530may interface to a heuristic server 550 and a transaction server 545.

In accordance with one aspect of the present disclosure, the system 500may perform the computer-implemented method 600, as illustrated in FIG.6 . However, in one embodiment, the method 600 does not, or may not,specifically require the system 500, nor do the elements includedtherein require a particular arrangement, to perform the method stepsillustrated in the process 600.

Method 600 may include, in one embodiment, a customer such as the user505 of FIG. 5 , initiates a transaction requiring authentication of adocument (block 605). The processor 530, for example, may retrievedocument image data from, the remote server 520 or the transactionserver 545 in some embodiments (block 610). The user 505 may in someembodiments provide a document image (block 615), and the processor 530may retrieve (block 620) a heuristic algorithm, for example from theheuristic server 550. The processor 530 may execute the algorithm withthe image data and a correlation of the image to an indication of fraud(block 625). In one embodiment, the processor 530 (block 630) maycalculate a probability of fraud, and prompt the user 505.

A service representative 555 may determine if fraud exists (block 635),and the processor may calculate a correlation between the probability offraud and an actual fraud detection (block 640). The processor 530 mayupdate the algorithm stored in the heuristic server 550 with thecalculated correlation (block 645).

Fraud Detection

FIG. 7 illustrates a block diagram of an exemplary computer system 700to perform fraud detection based upon past instances of fraud. Theexemplary system 700 enables a user 705, using for example a cellulartelephone 710 to initiate a transaction that may or may not befraudulent. The cellular telephone 710 may wirelessly communicate to awireless access point 720, via a wireless protocol 715 to a humanmachine interface 725. A customer service representative 760 may use acustomer service terminal 765 to communicate with the user and receivedata. The service terminal 765 may, in one embodiment, communicativelycouple to a network interface 740. The network interface 740 mayinterface to a remote server 755, for example storing fraud instancedata in one embodiment. The network interface 740 and human-machineinterface 725 may communicatively couple to a processor 730, thattogether comprise a heuristic engine 735 in one embodiment. In otherembodiments, the heuristic engine 735 may include a variety of memorydevices, interface devices, and processing devices, to execute requiredfunctions. The computer processor 730 may interface to a heuristicserver 750 and a transaction server 745.

In accordance with one aspect of the present disclosure, the system 700may perform the computer-implemented method 800, as illustrated in FIG.8 . However, in one embodiment, the method 800 does not, or may not,specifically require the system 700, nor do the elements includedtherein require a particular arrangement, to perform the method stepsillustrated in the process 800.

The method 800 includes a user, for example the user 705 of FIG. 7 ,that initiates a financial transaction that may or may not be fraudulent(block 805). The processor 730 may retrieve a transaction setcorrelating aggregated transactions from a plurality of users forexample, with indications of fraud (block 810). In one embodiment, theprocessor 730 (block 820) may retrieve a heuristic algorithm. A user orcustomer may provide context data for current and past transactions(block 815), for example with the cellular telephone 710.

In one embodiment, the processor 730 may execute the algorithm with theaggregated transactions and a current context. The processor 730 maygenerate a probability of fraudulent activity in a current context(block 830). In another embodiment, the service representative 750 mayprompt the customer 705 for additional context, for example related tothe transaction being processed. The processor 730 may update theheuristic algorithm stored in the heuristic server 750 with theprobability (block 840), the current context, and any additional contextavailable.

FIG. 9 illustrates an exemplary computing system 900 in accordance withthe embodiments disclosed in FIGS. 1-8 and 10 . The exemplary computingsystem 900 and components disclosed therein may comprise part, all, ornone of the disclosed embodiments of FIGS. 1-8 and 10 . The system 900includes one or more microprocessors 905, coupled to supporting devicesthrough multi-access busses 925 and 940. Dynamic random access memory930 and 935 may interface to data bus 925, and store data used by theone or more microprocessors 905. The system 900 includes instructionregisters 920 that store executable instructions for the one or moremicroprocessors 905, and data registers 915 that store data forexecution. In some embodiments, the system 900 includes one or morearithmetic co-processors 910, to assist or supplement the one or moremicroprocessors 905.

Data bus 940 includes interfaces to a graphics interface 945 that may insome embodiments process and transmit graphical data for a user on adisplay or similar devices. Likewise, data bus 940 includes interfacesfor a digital I/O interface that processes and transmits, for example,keyboard, pointing device, and other digital and analog signals producedand consumed by users or other machines. A network interface 955processes and transmits encoded information over wired and wirelessnetworks to connect the system 900 to other machines and users. Data bus940 also includes at least one interface to a non-volatile memoryinterface, that may process and transmit data that resides onnon-volatile memory devices.

FIG. 10 illustrates a non-transitory computer readable medium 1005, thatcomprises processor executable instructions 1010. Such processorexecutable instructions may include instructions executed by the one ormore processors 905 of FIG. 9 .

Machine Learning and Other Matters

In certain embodiments, the heuristic engine and algorithms discussedherein may include machine learning, cognitive learning, deep learning,combined learning, and/or pattern recognition techniques. For instance,a processor or a processing element may be trained using supervised orunsupervised machine learning, and the machine learning program mayemploy a neural network, which may be a convolutional neural network, adeep learning neural network, or a combined learning module or programthat learns in two or more fields or areas of interest. Machine learningmay involve identifying and recognizing patterns in existing data inorder to facilitate making predictions for subsequent data. Models maybe created based upon example inputs in order to make valid and reliablepredictions for novel inputs.

Additionally or alternatively, the machine learning programs may betrained by inputting sample data sets or certain data into the programs,such as image, mobile device, insurer database, and/or third-partydatabase data. The machine learning programs may utilize deep learningalgorithms that may be primarily focused on pattern recognition, and maybe trained after processing multiple examples. The machine learningprograms may include Bayesian program learning (BPL), voice recognitionand synthesis, image or object recognition, optical characterrecognition, and/or natural language processing—either individually orin combination. The machine learning programs may also include naturallanguage processing, semantic analysis, automatic reasoning, and/ormachine learning.

In supervised machine learning, a processing element may be providedwith example inputs and their associated outputs, and may seek todiscover a general rule that maps inputs to outputs, so that whensubsequent novel inputs are provided the processing element may, basedupon the discovered rule, accurately predict the correct output. Inunsupervised machine learning, the processing element may be required tofind its own structure in unlabeled example inputs. In one embodiment,machine learning techniques may be used to extract the relevant data forone or more tokenized icons from user device details, user request orlogin details, user device sensors, geolocation information, image data,the insurer database, a third-party database, and/or other data.

In one embodiment, a processing element (and/or heuristic engine oralgorithm discussed herein) may be trained by providing it with a largesample of images and/or user data with known characteristics orfeatures. Based upon these analyses, the processing element may learnhow to identify characteristics and patterns that may then be applied toanalyzing user device details, user request or login details, userdevice sensors, geolocation information, image data, the insurerdatabase, a third-party database, and/or other data. For example, theprocessing element may learn, with the user's permission or affirmativeconsent, to identify the user and/or the asset that is to be the subjectof a transaction, such as generating an insurance quote or claim,opening a financial account, handling a loan or credit application,processing a financial (such as a credit card) transaction or the like.

Additional Considerations

All of the foregoing computer systems may include additional, less, oralternate functionality, including that discussed herein. All of thecomputer-implemented methods may include additional, less, or alternateactions, including those discussed herein, and may be implemented viaone or more local or remote processors and/or transceivers, and/or viacomputer-executable instructions stored on computer-readable media ormedium.

The processors, transceivers, mobile devices, service terminals,servers, remote servers, database servers, heuristic servers,transaction servers, and/or other computing devices discussed herein maycommunicate with each via wireless communication networks or electroniccommunication networks. For instance, the communication betweencomputing devices may be wireless communication or data transmissionover one or more radio links, or wireless or digital communicationchannels.

Customers may opt into a program that allows them share mobile deviceand/or customer, with their permission or affirmative consent, with aservice provider remote server. In return, the service provider remoteserver may provide the functionality discussed herein, includingsecurity, fraud, or other monitoring, and generate recommendations tothe customer and/or generate alerts for the customers in response toabnormal activity being detected.

The following additional considerations apply to the foregoingdiscussion. Throughout this specification, plural instances mayimplement components, operations, or structures described as a singleinstance. Although individual operations of one or more methods areillustrated and described as separate operations, one or more of theindividual operations may be performed concurrently, and nothingrequires that the operations be performed in the order illustrated.Structures and functionality presented as separate components in exampleconfigurations may be implemented as a combined structure or component.Similarly, structures and functionality presented as a single componentmay be implemented as separate components. These and other variations,modifications, additions, and improvements fall within the scope of thesubject matter herein.

Additionally, certain embodiments are described herein as includinglogic or a number of routines, subroutines, applications, orinstructions. These may constitute either software (e.g., code embodiedon a machine-readable medium or in a transmission signal) or hardware.In hardware, the routines, etc., are tangible units capable ofperforming certain operations and may be configured or arranged in acertain manner. In example embodiments, one or more computer systems(e.g., a standalone, client or server computer system) or one or morehardware modules of a computer system (e.g., a processor or a group ofprocessors) may be configured by software (e.g., an application orapplication portion) as a hardware module that operates to performcertain operations as described herein.

In various embodiments, a hardware module may be implementedmechanically or electronically. For example, a hardware module maycomprise dedicated circuitry or logic that is permanently configured(e.g., as a special-purpose processor, such as a field programmable gatearray (FPGA) or an application-specific integrated circuit (ASIC)) toperform certain operations. A hardware module may also compriseprogrammable logic or circuitry (e.g., as encompassed within ageneral-purpose processor or other programmable processor) that istemporarily configured by software to perform certain operations. Itwill be appreciated that the decision to implement a hardware modulemechanically, in dedicated and permanently configured circuitry, or intemporarily configured circuitry (e.g., configured by software) may bedriven by cost and time considerations.

Accordingly, the term “hardware module” should be understood toencompass a tangible entity, be that an entity that is physicallyconstructed, permanently configured (e.g., hardwired), or temporarilyconfigured (e.g., programmed) to operate in a certain manner or toperform certain operations described herein. Considering embodiments inwhich hardware modules are temporarily configured (e.g., programmed),each of the hardware modules need not be configured or instantiated atany one instance in time. For example, where the hardware modulescomprise a general-purpose processor configured using software, thegeneral-purpose processor may be configured as respective differenthardware modules at different times. Software may accordingly configurea processor, for example, to constitute a particular hardware module atone instance of time and to constitute a different hardware module at adifferent instance of time.

Hardware modules may provide information to, and receive informationfrom, other hardware modules. Accordingly, the described hardwaremodules may be regarded as being communicatively coupled. Where multipleof such hardware modules exist contemporaneously, communications may beachieved through signal transmission (e.g., over appropriate circuitsand buses) that connect the hardware modules. In embodiments in whichmultiple hardware modules are configured or instantiated at differenttimes, communications between such hardware modules may be achieved, forexample, through the storage and retrieval of information in memorystructures to which the multiple hardware modules have access. Forexample, one hardware module may perform an operation and store theoutput of that operation in a memory device to which it iscommunicatively coupled. A further hardware module may then, at a latertime, access the memory device to retrieve and process the storedoutput. Hardware modules may also initiate communications with input oroutput devices, and may operate on a resource (e.g., a collection ofinformation).

The various operations of example methods described herein may beperformed, at least partially, by one or more processors that aretemporarily configured (e.g., by software) or permanently configured toperform the relevant operations. Whether temporarily or permanentlyconfigured, such processors may constitute processor-implemented modulesthat operate to perform one or more operations or functions. The modulesreferred to herein may, in some example embodiments, compriseprocessor-implemented modules.

Similarly, the methods or routines described herein may be at leastpartially processor-implemented. For example, at least some of theoperations of a method may be performed by one or more processors orprocessor-implemented hardware modules. The performance of certain ofthe operations may be distributed among the one or more processors, notonly residing within a single machine, but deployed across a number ofmachines. In some example embodiments, the processor or processors maybe located in a single location (e.g., within a home environment, anoffice environment or as a server farm), while in other embodiments theprocessors may be distributed across a number of locations.

The performance of certain of the operations may be distributed amongthe one or more processors, not only residing within a single machine,but deployed across a number of machines. In some example embodiments,the one or more processors or processor-implemented modules may belocated in a single geographic location (e.g., within a homeenvironment, an office environment, or a server farm). In other exampleembodiments, the one or more processors or processor-implemented modulesmay be distributed across a number of geographic locations.

Unless specifically stated otherwise, discussions herein using wordssuch as “processing,” “computing,” “calculating,” “determining,”“presenting,” “displaying,” or the like may refer to actions orprocesses of a machine (e.g., a computer) that manipulates or transformsdata represented as physical (e.g., electronic, magnetic, or optical)quantities within one or more memories (e.g., volatile memory,non-volatile memory, or a combination thereof), registers, or othermachine components that receive, store, transmit, or displayinformation.

As used herein any reference to “one embodiment” or “an embodiment”means that a particular element, feature, structure, or characteristicdescribed in connection with the embodiment is included in at least oneembodiment. The appearances of the phrase “in one embodiment” in variousplaces in the specification are not necessarily all referring to thesame embodiment.

Some embodiments may be described using the expression “coupled” and“connected” along with their derivatives. For example, some embodimentsmay be described using the term “coupled” to indicate that two or moreelements are in direct physical or electrical contact. The term“coupled,” however, may also mean that two or more elements are not indirect contact with each other, but yet still co-operate or interactwith each other. The embodiments are not limited in this context.

As used herein, the terms “comprises,” “comprising,” “includes,”“including,” “has,” “having” or any other variation thereof, areintended to cover a non-exclusive inclusion. For example, a process,method, article, or apparatus that comprises a list of elements is notnecessarily limited to only those elements but may include otherelements not expressly listed or inherent to such process, method,article, or apparatus. Further, unless expressly stated to the contrary,“or” refers to an inclusive or and not to an exclusive or. For example,a condition A or B is satisfied by any one of the following: A is true(or present) and B is false (or not present), A is false (or notpresent) and B is true (or present), and both A and B are true (orpresent).

In addition, use of the “a” or “an” are employed to describe elementsand components of the embodiments herein. This is done merely forconvenience and to give a general sense of the description. Thisdescription, and the claims that follow, should be read to include oneor at least one and the singular also includes the plural unless it isobvious that it is meant otherwise.

The patent claims at the end of this patent application are not intendedto be construed under 35 U.S.C. § 112(f) unless traditionalmeans-plus-function language is expressly recited, such as “means for”or “step for” language being explicitly recited in the claim(s).

The systems and methods described herein are directed to improvements tocomputer functionality, and improve the functioning of conventionalcomputers.

This detailed description is to be construed as exemplary only and doesnot describe every possible embodiment, as describing every possibleembodiment would be impractical, if not impossible. One may be implementnumerous alternate embodiments, using either current technology ortechnology developed after the filing date of this application.

What is claimed is:
 1. A computer-implemented method, comprising:retrieving a transaction set comprising transaction data associated witha plurality of users, and an indication of fraudulent activity;receiving, from a user device, context data associated with atransaction by a user of the plurality of users; executing a heuristicalgorithm to generate an account indication using the transaction set,the indication of fraudulent activity, and the context data; providing,based at least in part on the account indication, a request foradditional context data associated with the transaction; receiving theadditional context data from the user device and based on the request;and training the heuristic algorithm using the account indication andthe additional context data.
 2. The computer-implemented method of claim1, wherein the fraudulent activity comprises an unauthorized withdrawal.3. The computer-implemented method of claim 1, wherein the accountindication corresponds to an unauthorized credit transaction.
 4. Thecomputer-implemented method of claim 1, wherein the transaction setfurther comprises one or more past transactions related to at least oneaccount.
 5. The computer-implemented method of claim 1, wherein thetransaction set is stored in a memory, the memory comprising an externaltransaction server.
 6. The computer-implemented method of claim 1,wherein the heuristic algorithm is stored in a memory, the memorycomprising an external heuristic server.
 7. The computer-implementedmethod of claim 1, further comprising updating the heuristic algorithmusing the account indication
 8. A computer system, the comprising atleast one of one or more processors or one or more transceiversconfigured to: retrieve a transaction set comprising transaction dataassociated with a plurality of users and an indication of fraudulentactivity; receive, from a user device, context data associated with atransaction by a user of the plurality of users; execute a heuristicalgorithm to generate an account indication using the transaction set,the indication of fraudulent activity, and the context data; provide,based at least in part on the account indication, a request foradditional context data associated with the transaction; receive theadditional context data from the user device and based on the request;and train the heuristic algorithm using the account indication and theadditional context data.
 9. The computer system of claim 8, wherein thefraudulent activity comprises an unauthorized withdrawal.
 10. Thecomputer system of claim 8, wherein the fraudulent activity comprises anunauthorized credit transaction.
 11. The computer system of claim 8,wherein the transaction set further comprises one or more pasttransactions related to at least one account.
 12. The computer system ofclaim 8, wherein the transaction set is stored in a memory, the memorycomprising an external transaction server.
 13. The computer system ofclaim 8, wherein the heuristic algorithm is stored in memory, the memorycomprising an external heuristic server.
 14. A non-transitory computerreadable medium, comprising computer readable instructions that, whenexecuted, cause one or more processors to: retrieve, transaction datafor a plurality of users and an indication of fraudulent activity;receive, from a user of the plurality of users via a human machineinterface, context data associated with a transaction; execute aheuristic algorithm to generate an account indication of fraudulentactivity using the transaction data and the context data; provide, basedat least in part on the account indication, a request for the user toprovide additional context data.
 15. The non-transitory computerreadable medium of claim 14, wherein the computer readable instructions,when executed, further cause the one or more processors to: receive theadditional context data via the human machine interface; and train, theheuristic algorithm using the account indication and the additionalcontext data.
 16. The non-transitory computer readable medium of claim15, wherein training the heuristic algorithm further comprises using thecontext data.
 17. The non-transitory computer readable medium of claim15, wherein the computer readable instructions, when executed, furthercause the one or more processors to: update the heuristic algorithmusing the account indication.
 18. The non-transitory computer readablemedium of claim 14, wherein the fraudulent activity comprises anunauthorized credit transaction.
 19. The non-transitory computerreadable medium of claim 14, wherein the transaction data furthercomprises one or more past transactions related to at least one account.20. The non-transitory computer readable medium of claim 14, wherein thefraudulent activity comprises an unauthorized withdrawal.